Packets, pcaps, Python and Maltego

Projects

Disclaimer

This is my personal blog, all data and information provided on this site is for informational purposes only. The views expressed on these pages are mine alone and not those of my employer.

I will from time to time post something that might be slightly or massively inaccurate, this is not due to laziness but merely to the fact that I'm not perfect and let’s face it neither are you, otherwise you wouldn't be reading my blog (unless Google lied to you..).

I welcome all comments and emails, which are presented in a positive and constructive manner, however I withhold the right to delete or not publish any comments that I feel are "negative". After all if you are taking the time to read and then comment why not do it in a positive manner.

Site Admin

Pen Testing

A few days ago on twitter @markofu posted a tweet which at the time I didn’t give much thought to, but on reflection was actually true (especially in my case). The tweet went something like this.

“Hi..How do I get into security, I want to be a pen tester??” -> why?? “I dunno, cos it’s cool”

This post is all about my perspective on this subject, it is in no means set in stone and as always I’m happy to talk about it further if people wish (that’s what comments are for).

Now as this is my blog, this post will focus on me, well to be more accurate, on my interpretation of this tweet. So before we begin lets rewind the hands of time and take a journey into my past.

Many many many years ago I watched a movie called Sneakers, if you haven’t seen it then watch it if you have the time. It’s basically a movie about a team of misfits who get paid to break into companies and steal data (on behalf of said company), sound familiar?? Yep it’s a Red Team basically and back then it’s what drew me into IT and IT Security.

My first experience of InfoSec was when I was at college and I got my first computer (I was a late starter), I remember spending hours writing a Microsoft Word macro that would encrypt and decrypt text within a word document. In my first IT role (back in the days of hubs) I wrote a proof of concept paper on how a “hacker” could use a packet sniffer and collect the clear text telnet data that was sent to the Unix server, to take it even further I then described how you could “steal” money from that system.

Fast forward to 2012, and I finally get around to pursuing the world of InfoSec more (feel free to add any number of lame and half arsed excuses into why it took so long). I set myself a goal to not only learn more about Information Security but to also try to “break” into the tight-knit infosec community that seems (in my experience and opinion) quite daunting and “alien”. Over the last 7 months I think I’m made good progress, I’ve started this blog, wrote my Scapy guide, attending (well actually worked) at BSides London, taken part in UK Cyber Security Challenges and tried to learn as much as possible.

So what you may be asking is this all leading to and what does it have to do with the Tweet at the start??

You see just before Christmas @markofu was interviewed on @securityninja’s blog in a post called “Random Thoughts on Education & Learning“, I posted a comment asking for advice about how to “break into security” (that’s a well used phrase) and one of the suggestions was the InfoSec Mentor Project.

During the sign-up process (to be a mentee, and I’m still looking for a mentor), one of the questions is about what you would like be able to do once you get a mentor (well something along those lines) and I wrote “Be able to perform Penetration Tests”. Why?? Honestly because at the time I thought it was COOL. No I’m not joking either, the reason being is that for me being a Penetration Tester is the closest you can legally get to being a real life “hacker” (without getting into trouble).

I mean lets face it, what doesn’t sound cool about a job where you get to “hack” into other people’s computer systems and pit your skills and abilities across a never-changing landscape of firewalls, servers and network infrastructure??

The reality though is a lot different, the level of knowledge, experience and skill means becoming a pen tester isn’t as simple as taking a course or practicing in a test lab, it’s about real world, never-ending experience and that’s it’s not easy to just jump into it as a career and if you have an already established career it’s not always something you can achieve, without some sacrifices (there are always exceptions of course).

So here’s the twist (well sort of), I’m going to start my OSCP course soon, which will teach me essentially how to perform penetration tests (that’s still cool right?), however I don’t necessarily want to focus on pen testing, but courses like the OSCP are still very important for people like me because regardless of what area I chose to focus on, I still need to understand how attacks work and be able to test and verify things on my own (good solid foundation).

You see over the last few months I’ve discovered (on my journey to become a pen tester) that I actually have more interest in other areas of infosec that might not have come to light, if I wasn’t focused on learning about pen testing.

Make sense so far??

So once my OSCP course is done (and hopefully I pass) I’m going to change my focus from pen testing to one of the areas below (or maybe all of them):

1. Exploit writing – This still confuses the hell out me but being able to write code to exploit software seems like something I would enjoy getting more into.

2. IDS/IPS – Despite not being a packet ninja (or networking person by profession), there is something intriguing about being able to dissect network packets, identify attacks and understand how to stop them.

3. Malware analysis – To be honest I’ve just added this to my list (I wanted 3 items on my list), but again it’s one of those areas that I get to take apart other people’s work (the malware writers), analyse it and then work out how to identify and stop it.

I will of course still continue to build on the skills I’ve started to develop at the moment but I want that focus on one area (or 3) because for me that’s a better fit and I really do want to give something to the infosec community (not in a dirty way either).

So are Penetration Testers cool? Hell yeah, I’ve met a few, worked with a few and to be honest what they do on a daily basis is both scary and awe-inspiring at the same time, so I can understand why people associate pen testers with “COOL”, but sometimes you have to dig a little deeper to find your “niche”.

You may remember that in some of my previous blog posts I mentioned that I was studying for my Security+ exam, well the good news is that I passed the exam nearly 2 weeks ago (there isn’t any bad news). The Friday just gone, I had a meeting with my big boss at work and he agreed that I could get funding for my next certification, what’s even better is that he was happy for it to be the OSCP (Offensive Security Certified Professional) course…🙂

It’s going to take a few weeks before all the necessary work related paperwork is sorted and I can start the course. Not wanting to wait I’ve already started researching and studying some of the areas I know I need to understand better before I start the course and I’ve started preparing the necessary “environments” so I can practice.

1. Download the PWB (Pentesting with Backtrack) syllabus, so I can work out my “weak” areas.
2. Build a virtual test lab so I can practice, this includes an installation of Backtrack 5 R2, Windows XP, Metasploitable 2 and LAMP Security VM’s. I am using VMware Workstation (perk of being a VCP) so I can configure multiple networks and all my VM’s run off a 32GB SD card in my laptop.
3. Read other people’s reviews of the OSCP exam just to get an idea of what to expect.
4. Practice my documentation skills in my lab environment.

Now there are a couple of things that both worry me and excite me about this course (and the exam), I’ve read some post OSCP reviews and the general theme is “It’s not easy”, but you learn a LOT, the other thing that worries me is the report writing that you MUST complete at the end of the exam in order to pass. Now I’ve never written a report like this before so for me it’s a worry, not something I can’t overcome, I just need to practice and get familiar with.

In a weird way I’m actually really looking forward to the exam, 24 hours to break into a number of hosts using all your skill, imagination and determination sounds like awesome fun. I’ve already accepted that I won’t sleep during those 24 hours but I don’t care (the joys of working overnight means it doesn’t bother me much anymore). I’ve also accepted that leading up to the exam I will spend many many many hours in front of my laptop studying and practicing but again to me that’s fun as well..

I obviously can’t post anything about the actual course or the exam content but I will post updates on how I am doing and if I find a new technique along the way I will try to post it up on my blog.

Hello, apologises for the lack of posting I’ve been revising for an exam (which is tomorrow), regardless of that yesterday I took part in my first Cyber Security Challenge UK, I’ve never tried this sort of challenge before so was a bit nervous as to what to expect, in the end I scored 24/39 which I’m happy with to be honest. I learnt some new stuff and enhanced some of what I had locked away in my brain and it was awesome fun.

The only problem is that I want to do more of them, not only are they fun but it’s a great way to learn. The problem is in the UK there don’t seem to be many “hacker” challenges for people to take part in. Then tonight I was tweeting with @tamonten (who just beat my score on the challenge in a shorter time period…)

I then had an idea (yeah dangerous I know), what’s to stop me from creating some challenges for people to try, don’t get me wrong I’m not a security “expert” (just felt a bit sick typing that) but then I remembered a saying one of my old martial arts instructors use to say “Don’t be shy, give it a try” (just before I ended up on the floor in pain).

So once the evil exam of doom is out of the way (it’s not that bad I just hate exams) I’m going to start trying to come up with some security challenges, just small ones to start with then maybe moving onto bigger things. I think it’s a good way for me to learn stuff and, well to be honest as long as I’m having fun that’s all I care about..🙂

As always this isn’t just about me (honest), it’s about the community so if you have an idea (but not the time) for a challenge let me know (full credit will go to you) and I will try and make it happen. I am going to try and cover a few areas but like I said I’m still new at this so might take me a while to get started.

First of a big thanks to @achillean and his awesome website over at http://www.shodanhq.com, the amount of information that gets collected and stored is mind-blowing. I had a brief email conversation with John when I decided to write this blog and at the time there were over 70 million records stored in ShodanHQ.

So to the point of this blog post, in my current job I work a lot on e-commerce type stuff, mostly because I’m responsible for the load balancers we use (if you’ve read this blog before you might be able to guess what they are..). Part of that work means every now and again I get sent the output of our regular pen tests to answer questions or fix “holes”.

One of the most common “holes” I fix is what the external pen testers call “Environment Disclosure Information“, which in layman’s terms means you are giving out more information that you should to external people when they visit your websites.

This is an example HTTP header extract from a website, which will highlight the sort of stuff I mean:

Now remember I’m no security expert but to me this amount of “free” information about your web environment is both unnecessary and well to be fair a bit sloppy.

Looking at the HTTP header above an unethical type of person can determine the type of server you are running (Server: Omniture DC/2.0.0) and the version its running. Which would make it easier when looking for known vulnerabilities, and you can tell that they have at least 4 web servers (xserver: www4) providing this content (which means some sort of load balancing).

This is another HTTP header from a rather “large” software company that like Marmite you either love or hate..

Again you will see that the Server: HTTP header is still there, so is this really a security concern? Do pen testers just highlight it as something to put in a report??

Now onto the cool stuff (well it’s cool to me), if you have ever used ShodanHQ you will know that there is an API available, and if you pay a small amount of $$ you can get a lot of functionality. I decided to use that API and write a ruby script that would look through the 70 million records and give me the total number of results that matched some of the most popular HTTP server headers.

This is my code (I have compared the numbers against individual searches with the same server header).

Yes yes I know, surely someone can’t be using IIS/1.0 but I did triple check that result..🙂 To me that’s a lot of people who either don’t care about hiding this information, or like I said earlier it’s not really a big issue.

So lets take it one step further, ShodanHQ also lets you search the exploitdb using the API. Using the ruby script available from the documentation I ran it against Microsoft IIS/6.0 (the most popular IIS version from my research). Using the script I got 6 “known” exploits back (see below).

So to make things a bit easier as I wander along the path of self enlightenment (or in this case learning more about InfoSec) I thought it was about time I built some sort of “lab” at home, so I can get a better idea of what happens when I say run a nmap scan and to give me something to scan against.

Now it may come as a surprise to you but in the 15 years I’ve worked in IT I’ve never had a server at home.. nope never.. and to be honest I don’t think I need a server now to achieve the results I’m after. Now this is MY lab, its not huge, fancy or flash but it is portable and its low maintenance.

You see some people would (and are entitled to) say that the point of a lab is so you can break things (and learn how to break things) for me, the purpose of my lab was the opposite, well sort of. You see I know what firewall logs say during a port scan, but I don’t know what a port scan looks like in terms of the actual packets sent/received. I’ve got a lot to learn and rather than download a “exploitable” VM and well exploit it I wanted to start at the very beginning.

So my lab setup is very simple.

I have a HP Mini Note 2133 running Security Onion, this is for a mixture of packet captures and IDS alerts. It uses a wireless NIC for the management interface and it’s onboard LAN for the sensor. I have a Checkpoint Safe@Office 500 firewall which will have it’s WAN connection plugged into my home network and I will open ports/services as I need to. Then finally I have my laptop which I will use to either scan the firewall and/or write packets with scapy and run packet captures as I go.

My plan (it’s always good to have a plan) is that to start with the firewall blocking everything, I can review the packet captures and actually see the real responses back (as opposed to the script telling me), when I start working with scapy I can write custom packets and see what effect that has. Then I can slowly start to open ports and compare the results with my initial baseline.

This of course might be the completly wrong way to do things, but to me it makes sense. If I can understand what happens in relation to the packets I hope it will give me a more complete understanding of how things work.

Below is a quick and simple diagram of my lab, written by the way with DroidDia (yes there is a droid version of Dia).

Let me know what you think (if you want) and I will let you know how I get on.

At the beginning of the week I wrote here about the Cookie’s that the Netscaler uses for persistence. In that post I explained how I discovered that the Cookie name was encrypted using a simple substitution cipher. The cookie value itself was encrypted to contain the Service IP (the IP of the server that your session sticks to) and the Service Port.

I assumed that this part of the cookie was encrypted using a “real” encryption method such as SHA-256 or some other similar cipher. I spent the next couple of days looking online to see if I could match the cookie length and output (it’s all Hex) to a cipher. In the end I gave up, not because it was too difficult but because I thought of a more cunning plan..🙂

This is an example Netscaler cookie (and by example I mean from a website on the internet);

My previous post dealt with how the “encrypted” cookie name was formed (that’s the bit up to the ‘=’), this post is about the 8 characters after the ffffffff (everything else after that apart from the last 4 characters seems to be padding).

This is what I knew about the encrypted values:

1. The cookie started with ffffffff which I believed was not required to identify the Service IP.
2. The output was Hex, so I assumed that there must be some way to reverse engineer the encryption back to the real IP.
3. The encrypted value for each octet of the IP address was not encrypted using the same method (I knew that because when looking at cookie value I could see the same IP octet encrypted to different values in the cookie).
4. The encrypted values were consistent across different Netscalers (ruling out the encryption being based on appliance specific details i.e. hostname or MAC address).

In order to decrypt the Service IP out of the cookie I could decided that using a VPX (Virtual Netscaler) I could generate a cookie value for each of the 255 IP address in each octet, armed with the power of Excel and Notepad I generated the necessary Netscaler config to create my samples and then using this command on the Netscaler;

show lb vserver [vserver name] | more

This allowed me to see each server and the matching Netscaler cookie value. I started entering these into Excel with the “real” IP value. I had worked through about 60 of the last octet (starting at x.x.x.0) when I realised that I was seeing a pattern. To work out the pattern I took a wild guess (they are the best sometimes) and tried this in Excel;

=HEX2DEC(CELL)-Real Value

This was the breakthrough I was looking for.. and here’s why

On the last octet of the IP address the Hex value 11 was really 0 if you the formula above you get the result “17”, use this formula for the next 16 real values (remember I have collected 60 already from earlier) and you see the following pattern:

The next 16 after this repeated first example, in fact all of the decryption for each octet required a repeating pattern, I just needed to find the key. Before rushing ahead I used the 2 patterns above to fill the remaining last octet of 255 addresses but I swapped the formula to create the Netscaler Hex value (and save myself sometime);

=DEC2HEX(Difference+Real Value)

I then double checked this was correct by looking at my other generated cookie values and checking some from another 2 Netscalers that use this method in “live”. I was one happy geek, I then needed to do the same pattern matching for the other 3 octets, but because I knew I was looking for a pattern I only needed to generate a smaller sample set to work with.

Whereas the first pattern I discovered was based on chunks of 16 the others weren’t, the first octet is using the numbers 1 & 3 in chunks of 4 (and the negative values for these as well), the second octet is just based on 8’s in chunks of 8(+8 and -8), and the third was totally random (not the pattern, more the logic behind it) and work on 2,6,10,14,18,22,26 & 30 in chunks of 16 again(and then the negative versions).

Rather than boring you with pages of information I’ve produced a PDF with it all in here.

So I’ve tested this as much as I can, and it works, the cookies I’ve looked at (where I know the Service IP) matches against this decryption sheet and again that is over 4 different Netscalers, running different appliances, IP addresses and versions of firmware.

Once I learn how to write in some sort of programming language I am hoping to write this into an application, where you can input the cookie value and it will provide you the decrypted values, I can think of a couple of uses outside of Netscaler administration and I’m sure any Pen Testers/Ethical Hackers reading this can probably think of a few more..🙂

So to recap, I now know how to decrypt the Load Balancer name from the Cookie name and the Server IP from the Cookie value, the remaining part is the Service Port but I’m not too worried about that (at the moment) as I know that it if a Netscaler cookie ends 3660 then it’s port 80.

Let me know if you have any questions or feel that my maths is wrong somewhere along the line..

Hello reader, hope you are enjoying this festive time of year and are looking forward to the new year just around the corner.

I’ve mentioned before in my blog that a “passion” of mine is IT Security (or InfoSec), it’s something that I’m going to be dedicating a lot of time towards during 2012. At the moment I am reading a lot of InfoSec books most around penetration testing and related materials.

A few of the books keep talking about the process of a penetration test, and then describe them in detail. This is great, however I like to have some visual aid that I can refer back to without going through a book each time.

With that in mind I headed off to Google to see if I could find a diagram that was already “in the wild”, but alas I couldn’t find one, so I’ve created my own..🙂

It’s a very basic diagram but it helps me remember the steps needed when performing a pen test. I’ve colour coded some of the boxes, green boxes are functions or actions that you can perform without getting into trouble (always check your local and state laws first), red boxes are things you shouldn’t do without the permission of the people you are pen testing. You will notice that War Driving is marked red, this is because it’s a bit of a gray area in terms of what is and isn’t legal (always better to be safe than sorry).